
European Commission adopts communication on EU-US data transfers after Schrems

Transferring personal data from the EU to anywhere outside the EEA is only allowed if high quality protection is ensured.

Article 25(1) of the EU Data Protection Directive (Directive) says that this level of protection is one that is adequate in all circumstances.

Article 26 of the Data Protection Directive explains alternate ways data can be transferred to countries which do not provide the level of protection needed. Transfers can still be permitted if:

They evidence that they can put in place appropriate safeguarding measures. This must be done using the Binding Corporate Rules which are approved by the National Data Protection Authority.

They must rely on one of the derogations which are expressed in Article 26(1)(a) to (f) of the Directive. This can include transfers which are necessary for the performance of a contract between the data subject and controller.

They can transfer data under standard contractual clauses.

The European Commission has made many observations and has found that many countries do not provide the adequate protection which is required. These are as follows:

Contractual Solutions – If a national authority has concerns regarding Safe Harbor, they must bring this to the attention for a judicial review. If the exporter receives information regarding changes to legislation etc. from the importer, they may have to place additional levels of protection, or even stop transferring to that country as a whole.

Intra-group Transfers – These transfers must be authorised by the National Data Protection Authority in each country.

Derogations – The Working Party believes repeated or structural data transfers are not ideal and shouldn’t be carried out for derogation, unless they have very high quality safeguards and work within a specific legal framework.

To conclude, although there are issues regarding the transfer of personal data to those outside the EEA, there are measures in place. If they are followed, this will be sufficient: the data can be used effectively and still be highly protected. This also depends on the willingness of the National Data Protection Authorities and how they take and enforce actions.
